The free CTF challenge site “hackmyvm.eu” has another easy-level VM called ‘comingsoon‘ for us to download, enumerate and grab some flags from. This was another interesting one from them, with one step that I found challenging. In this write-up I try to describe my method and thought process for completing the hackmyvm comingsoon CTF challenge.
Setup for hackmyvm comingsoon
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.12 – This is the Comingsoon vm.
For enumeration of the hackmyvm comingsoon challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to follow along.
The first command to run is nmap, for network service enumeration:
nmap -T5 -F -sV -sC 192.168.186.12
There is an Apache web server running on port 80 and SSH on port 22.
Using gobuster we can find some interesting files and directories:
gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://192.168.186.12 -x txt,php,html | grep 200
“notes.txt” looks interesting, so let’s remember it.
As the “http” port 80 is open, let’s take a look in “firefox“.
First there is the notes.txt file that we came across with gobuster; we can open it in “firefox“.
Interesting, it implies that there are backups somewhere, so let’s also keep this in mind.
Let’s look at the main web page.
Nothing much there, so let’s look at the source code.
Interesting, EnableUploader looks like a header name. We can reload the page through Burp Suite.
There is an encoded cookie, and you can decode it in Burp Suite’s decoder.
So it is “base64” encoded and has our “EnableUploader” header set to “false”. If you are using Burp Proxy, the cookie can be modified so it reads “true” instead of “false”, then reload the page.
Inside the decoder type the word “true” and encode it as base64. Then replace the section after the “=” with this new string and forward the request from Burp Suite.
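To make the cookie step concrete, here is an added example (not part of the original write-up) that reproduces the decode/re-encode done by hand in Burp, and then shows the server-side fix: a feature flag that is HMAC-signed so a client-edited value is rejected. The cookie name "EnableUploader", the base64 value layout and the server key are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed cookie in the shape the write-up describes: "name=base64(value)".
SAMPLE_COOKIE = "EnableUploader=" + base64.b64encode(b"false").decode()


def parse_flag_cookie(cookie: str) -> Tuple[str, str]:
    """Split 'name=base64value' and decode the value (what Burp's decoder shows)."""
    name, _, encoded = cookie.partition("=")
    return name, base64.b64decode(encoded).decode()


def set_flag(cookie: str, value: str) -> str:
    """Re-encode a new value for the section after '=' (the manual Burp edit)."""
    name, _, _ = cookie.partition("=")
    return f"{name}={base64.b64encode(value.encode()).decode()}"


# Hardened server side (hypothetical): the flag carries an HMAC over the payload,
# so the client can read it but cannot change it without the server-only key.
SERVER_KEY = b"constructed-placeholder-key"  # placeholder; a real key never leaves the server


def issue_signed_flag(value: str, key: bytes = SERVER_KEY) -> str:
    payload = base64.b64encode(value.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"EnableUploader={payload}.{tag}"


def read_signed_flag(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the flag value only if its HMAC verifies; None means tampered or malformed."""
    _, _, body = cookie.partition("=")
    payload, sep, tag = body.rpartition(".")
    if not sep:
        return None  # unsigned cookie, e.g. the original base64-only format
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload was edited after signing
    return base64.b64decode(payload).decode()
```

With the signed variant, swapping the base64 section for base64("true") while keeping the old tag yields None, so the server keeps the uploader disabled.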
Now there is a new upload link. With this upload link a PHP reverse shell can be uploaded. For this, the pentestmonkey reverse shell PHP script works perfectly. The IP address and the port can be modified inside this script; the port can be left at the default of 1234.
It seems the uploader does not like .php files, so rename it so it has a “.phtml” extension. In this case “go.phtml”.
This worked a treat.
The uploader put the PHP script into the “/assets/img/“ folder. Using a combination of “curl” and “netcat” a reverse shell can be spawned.
On the enumeration host run a netcat command with the same port as you put into the reverse shell script. In one terminal run
nc -nvlp 1234
And in the other terminal (change the IP to match yours), request the uploaded file with curl.
All going well this will spawn a reverse shell, but it needs to be stabilized with the commands below.
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
<CTRL + Z>
stty raw -echo; fg
From the “notes.txt” file we found earlier it can be safely assumed there is some sort of backup on the system, so let’s search for any backup files.
find / -name backup\* 2>/dev/null
There is a backup file, so let’s copy it to our enumeration machine.
In the reverse shell window type
cd /var/backups
python3 -m http.server
Just download the file locally and unzip it. Inside this backup archive there is a copy of the shadow and passwd files.
Using the unshadow command we can combine them into a crackable hash file and crack it with John the Ripper.
unshadow passwd shadow > ./unshadow
john --wordlist=/opt/rockyou.txt ./unshadow --format=crypt
Now the password is available, so “su -” to scpuser is possible. Once we have access to the scpuser home directory there are some interesting files to look at. First is user.txt, which contains the CTF user flag, and second is a file called .oldpasswords.
Take a look at the .oldpasswords file.
The previous root passwords were all popular animated movies. Let’s try to brute force the root password against the top 100 animated movies.
Before we do the brute force we need to prepare a list of movies.
- Grab a list of the 100 top animated movies from the internet.
- Keep the case and remove spaces.
- Such a list already exists, fully prepared, on my GitHub page.
- “su -” can be quite slow to brute force as there is a 5 second gap between tries. You can use my “verify su” script to automate this process.
Once the list is created it can be used to brute force the “su -” password. It can either be done manually or via my Python script.
su -
password:
Or with my script.
The previous steps should give you the root password, and from there you can run “su -“. Input the password and you have root access.
This was an interesting room because it gave me some challenge with the password list.